March 17, 2005

British authorities stymied a massive bank heist that reportedly was dependent on a keylogger, the same kind of spyware that has jumped three-fold in the last year and puts consumers at risk from hackers and phishers.

According to reports in the British media from the BBC and the Financial Times, among others, the scheme was set to steal 220 million pounds ($423 million) from the London offices of the Japanese bank Sumitomo Mitsui. The National Hi-Tech Crime Unit (NHTCU), the country's cyber-cops, began investigating last October after the bank discovered that hackers had infiltrated its network and were using a keylogger to capture keystrokes.

Keyloggers, a type of spyware, are used by hackers and, increasingly, by phishers to snatch users' account information--such as log-in names and passwords--and to grab other lucrative data, including credit card numbers.

Police arrested an Israeli man, identified as Yeron Bolondi, 32, in Israel after an attempt was made to transfer 13.9 million pounds ($26.8 million) into an account there. All told, the gang was planning to transfer the $423 million to 10 different bank accounts, said police.

Bolondi appeared in a Tel Aviv district court early Thursday, and was charged with attempted money laundering and deception. He will be kept in custody for at least a week as police continue their investigation.

If it had been successful, the robbery would have dwarfed Britain's previous record, the armed theft of 26 million pounds ($50 million) from Belfast's Northern Bank in December, a crime thought to have been conducted by the IRA.

The NHTCU would not confirm whether the keylogger was planted by an inside accomplice, or inserted by hackers working outside the bank's network.

"From what we know from our SpyAudit data, there's a good chance this wasn't even a planned attack," said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based anti-spyware vendor Webroot.

According to Webroot's SpyAudit, a free spyware auditing tool it makes available on its own site as well as to EarthLink subscribers, 15 percent of enterprise PCs tested have a keylogger already installed.

"They could've gotten a keylogger onto the bank's network by tricking an employee [in a phishing-style scam] or walking into the bank and sitting at an employee's terminal," said Stiennon. "But why Sumitomo? Why not a bigger bank, like Barclays? It may be because they broke into the network another way and only then noticed that a machine was already infected with a keylogger.

"It reminds me of how Microsoft was hacked back in 2004, when a Microsoft developer's home computer led the hackers into Microsoft. The same thing may have happened here, where the thieves recognized that they'd hit the mother lode by stumbling across the keylogger-infected system."

Keylogger infections have exploded in the last year. British security firm Sophos said that the number of keyloggers it's spotting daily has jumped three-fold in the past 12 months.

"It all comes back to this ongoing trend of more and more malicious code being developed with keyloggers," said Gregg Mastora, a senior security analyst with Sophos. Criminals have pushed especially hard the last three to four months. "Clearly, [they've] upped their efforts online," he added. "A keystroke logger is just like a thief looking over your shoulder as you type in your PIN at the ATM. Except in this case, you never leave the 'security' of your own home, and neither does the thief."

Webroot's numbers are a bit more conservative, said Stiennon, but still show a big jump in keyloggers. Its audit reports, he said, have shown a doubling of keylogger prevalence on PCs, from about 8 percent 12 months ago to 15 percent today.

Both Stiennon and Mastora warned that the foiled robbery in Britain should be a wake-up call to everyone.

"A good percentage of the online community continues to put themselves at risk by accessing the Internet while being unprotected by up-to-date protection software," said Mastora.

"I think this is just the tip of the iceberg," said Stiennon. "When you hear of a bank foiling an attempt, it's almost always the case that [successful] hacks have already occurred."
